cto-playbook

Pass

Audited by Gen Agent Trust Hub on Mar 7, 2026

Risk Level: SAFE [REMOTE_CODE_EXECUTION] [COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to install the uv tool by executing a shell script from astral.sh, which is the official domain for a well-known technology provider. This is documented as a safe operation per trusted source rules.
  • [COMMAND_EXECUTION]: Directs the agent to utilize uvx to run a security scanning utility (snyk-agent-scan) to audit other agent skills for vulnerabilities. This command downloads and runs code from a public registry as part of a security workflow.
  • [PROMPT_INJECTION]: Contains strong persona-defining instructions ("You are operating as a world-class CTO") and mandatory quality gates ("Non-Negotiable", "If in doubt, use this skill") to enforce engineering standards. These patterns are used for quality assurance rather than bypassing safety protocols.
  • [DATA_EXPOSURE]: Lists specific local filesystem paths for agent skill directories (e.g., ~/.claude/skills) to facilitate security scanning, which is a legitimate use of file path information in an administrative context.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 7, 2026, 10:50 AM